December 30, 2005

Information Technology Management

Security Status for Systems Reported in DoD Information Technology Databases
(D-2006-042)

Department of Defense
Office of Inspector General
Quality    Integrity    Accountability

Additional Copies

To obtain additional copies of this report, visit the Web site of the Department of
Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary
Reports Distribution Unit, Audit Followup and Technical Support, at (703) 604-8937
(DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact Audit Followup and Technical
Support at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can
also be mailed to:

    ODIG-AUD (ATTN: AFTS Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms

ASD(NII)/CIO   Assistant Secretary of Defense for Networks and Information
               Integration/Chief Information Officer
CFO            Chief Financial Officer
CIO            Chief Information Officer
CIR            Capital Investment Report
DITPR          DoD IT Portfolio Repository
DITSCAP        DoD Information Technology Security Certification and
               Accreditation Process
FIPS           Federal Information Processing Standards
FISMA          Federal Information Security Management Act
GAO            General Accountability Office
IT             Information Technology
ITMA           Information Technology Management Application
OMB            Office of Management and Budget
OSD            Office of the Secretary of Defense
SNaP-IT        Select Native Programming - Information Technology
USD(C)/CFO     Under Secretary of Defense (Comptroller)/Chief Financial Officer

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

December 30, 2005

MEMORANDUM FOR ASSISTANT SECRETARY OF DEFENSE FOR NETWORKS AND INFORMATION
               INTEGRATION/CHIEF INFORMATION OFFICER

SUBJECT: Report on Security Status for Systems Reported in DoD Information Technology
         Databases (Report No. D-2006-042)

We are providing this report for review and comment. We considered management comments on
a draft of this report when preparing the final report.

DoD Directive 7650.3 requires that all recommendations be resolved promptly. The comments
of the Deputy Assistant Secretary of Defense for Networks and Information Integration/Deputy
Chief Information Officer, responding for the Assistant Secretary of Defense for Networks
and Information Integration/Chief Information Officer, were partially responsive or
nonresponsive to most of the recommendations. Therefore, we request that the Assistant
Secretary of Defense for Networks and Information Integration/Chief Information Officer
provide additional comments on those recommendations by January 27, 2006.

If possible, please send management comments in electronic format (Adobe Acrobat file only)
to AudATM@dodig.osd.mil. Copies of the management comments must contain the actual
signature of the authorizing official. We cannot accept the / Signed / symbol in place of
the actual signature.
If you arrange to send classified comments electronically, they must be sent over the
SECRET Internet Protocol Router Network (SIPRNET).

We appreciate the courtesies extended to the staff. Questions should be directed to
Ms. Kathryn M. Truex at (703) 604-8966 (DSN 664-8966) or Ms. Karen J. Lamar at
(703) 604-9005 (DSN 664-9005). The team members are listed inside the back cover. See
Appendix F for the report distribution.

By direction of the Deputy Inspector General for Auditing:

Assistant Inspector General
for Acquisition and Technology Management

Department of Defense Office of Inspector General
Report No. D-2006-042                                              December 30, 2005
(D2005-D000AL-0156.000)

Security Status for Systems Reported in DoD Information Technology Databases

Executive Summary

Who Should Read This Report and Why? DoD managers, including but not limited to all
Component Chief Information Officers and Chief Financial Officers responsible for reporting
and certifying security information in the Information Technology (IT) Registry, in the
Information Technology Management Application (ITMA), and in their follow-on databases (the
DoD IT Portfolio Repository and Select Native Programming - IT), and program office and
headquarters personnel responsible for entering information into DoD IT databases, should
read this report to improve the quality of the data relied upon for management and budget
decisions.

Background. Improving IT security is one of the Office of Management and Budget's highest
priorities in IT management.
DoD reports the security status of mission critical, mission essential, and select mission
support systems in the IT Registry database, and budget data on its IT investments in the
ITMA database. The IT Registry and ITMA are the only DoD-wide mechanisms in place that
DoD managers have to report the security status of DoD Component IT systems. The DoD CIO
Memorandum, "DoD Information Technology Registry Guidance for Fiscal Year 2005,"
December 21, 2004, required that all DoD Component Chief Information Officers update and
maintain their respective Component's input to the IT Registry; certify that all mission
critical and mission essential systems are included in the IT Registry, together with at
least 50 percent of all mission support systems by December 1, 2005 and 100 percent by
September 30, 2006; and ensure consistency between the IT Registry and ITMA.

The IT Registry is intended to provide a DoD-wide inventory of mission critical, mission
essential, and select mission support systems and contains data elements, populated by DoD
Components, that provide the security status of their IT systems. The IT Registry is used
to report to the Office of Management and Budget and to Congress on the effectiveness of
DoD Component and DoD-wide security programs. All systems included in the IT Registry will
be merged into the DoD IT Portfolio Repository by January 31, 2006, in accordance with
guidance issued by the Deputy Chief Information Officer on September 28, 2005.

ITMA was the authoritative source for DoD IT budget information through completion of the
Department's FY 2006 IT budget preparation and submission. The follow-on database, Select
Native Programming - IT, will be used as the authoritative source for FY 2007 and beyond.
DoD Components must submit an Exhibit 300, "Capital Investment Report," for all major
IT investments.
DoD uses ITMA to plan, coordinate, and disseminate DoD IT budget exhibits and as the
primary means of justifying and managing IT investments. DoD Components use the CIR to
show management and the Office of Management and Budget that the Component has employed
the disciplines of good project management; presented a strong business case for the
investment; and defined the proposed costs, schedule, and performance goals for the
investment if funding approval is obtained.

Results. DoD Components did not accurately report the same IT system security data in the
IT Registry and the ITMA databases. Specifically, 120 of 148 IT systems (81 percent)
reported in FY 2006 President's Budget Capital Investment Reports did not match the reports
on the same systems in the IT Registry, and 87 of 148 IT Registry reports (59 percent) were
not internally consistent between the system mission criticality and the mission assurance
category data elements. Additionally, DoD Components did not submit timely, accurate, or
complete IT Registry certification and ITMA compliance statements to the Assistant
Secretary of Defense for Networks and Information Integration/Chief Information Officer.
As a result, DoD, the Office of Management and Budget, and Congressional Committees are
making management decisions concerning technology operations, investments, security,
interoperability, and architecture based upon erroneous information contained in DoD
databases.

Recommendations made in two prior DoD Office of the Inspector General audit reports
identified weaknesses in management controls for accurate, consistent, and efficient
reporting of IT system information in DoD IT databases.
Those recommendations, if implemented, would have addressed part of the cause discussed in
the Finding section of this report.

We recommend that the Assistant Secretary of Defense for Networks and Information
Integration/Chief Information Officer ensure that information in DoD IT databases is
accurate and complete. Specifically, we recommend that the Assistant Secretary of Defense
for Networks and Information Integration/Chief Information Officer:

    •  immediately commence utilization of automatic data integrity controls on DoD-wide
       IT databases;

    •  identify and impose penalties on those DoD Component Chief Information Officers
       that did not implement controls, reconcile DoD databases at least quarterly, and
       populate all required data elements;

    •  impose sanctions beginning first quarter FY 2006 on those DoD Components that do
       not submit an IT Registry/DoD Information Technology Portfolio Repository
       certification statement prior to the due date stating that their Component
       information is complete and correct;

    •  require DoD Component Chief Information Officers to submit IT Registry/DoD
       Information Technology Portfolio Repository certifications prior to submitting the
       DoD Federal Information Security Management Act Report to the Office of Management
       and Budget;

    •  advise the Office of Management and Budget and Congress that DoD does not have
       viable internal controls over the accuracy of data it is reporting concerning the
       security of its IT systems;

    •  develop internal control mechanisms, report the DoD database discrepancies as a
       material control weakness, and develop a plan to track and correct conditions; and

    •  adopt National Institute of Standards and Technology standards to categorize
       DoD IT systems.

See the Finding section of the report for detailed recommendations.

Management Comments and Audit Response.
The comments of the Deputy Assistant Secretary of Defense for Networks and Information
Integration/Deputy Chief Information Officer, responding for the Assistant Secretary of
Defense for Networks and Information Integration/Chief Information Officer, were partially
responsive or nonresponsive to most of the recommendations. See the Finding section of the
report for a discussion of management comments on the recommendations and the Management
Comments section of the report for the complete text of the comments.

We request that the Assistant Secretary of Defense for Networks and Information
Integration/Chief Information Officer comment on this report by January 27, 2006.

Table of Contents

Executive Summary                                                              i

Background                                                                     1

Objectives                                                                     2

Finding
     DoD Information Technology Databases                                      4

Appendixes
     A.  Scope and Methodology                                                21
     B.  Prior Coverage                                                       22
     C.  Information Technology Registry Systems Reviewed                     24
     D.  Mission Assurance Category and Mission Criticality Definitions       30
     E.  Summary of Data Elements and DoD Components Reviewed                 31
     F.  Report Distribution                                                  32

Management Comments
     Assistant Secretary of Defense for Networks and Information Integration/
          Chief Financial Officer                                             35

Background

Improving information technology (IT) security is one of the Office of Management and
Budget's (OMB) highest priorities in IT management. In addition, Congress has challenged
the quality of DoD IT management because IT documents and associated budget data that DoD
provided were inaccurate, misleading, or incomplete. DoD reports the security status of its
mission critical, mission essential, and select mission support systems in the IT Registry
database, and budget data on its IT investments in the Information Technology Management
Application (ITMA) database. The IT Registry and ITMA are the only DoD-wide mechanisms in
place that managers have to report the security status of DoD Component IT systems. Both
databases are in a state of flux and are scheduled to be replaced by the DoD IT Portfolio
Repository (DITPR) and the Select Native Programming - Information Technology (SNaP-IT)
database, respectively, in FY 2006.
The Assistant Secretary of Defense for Networks and Information Integration/Chief
Information Officer (ASD[NII]/CIO) is the principal staff assistant to the Secretary of
Defense for DoD IT.

The DoD CIO Memorandum, "DoD Information Technology Registry Guidance for Fiscal Year
2005," December 21, 2004, required that all DoD Component Chief Information Officers (CIOs)
update and maintain their respective Component's input to the IT Registry on at least a
quarterly basis; certify that all mission critical and mission essential systems are
included in the IT Registry and enter at least 50 percent of all mission support systems by
December 1, 2005, 75 percent by March 1, 2006, and 100 percent by September 30, 2006; and
ensure consistency between DoD-wide databases, such as the IT Registry, DITPR, ITMA, and
SNaP-IT.

Information Technology Registry. The IT Registry is used as the official DoD database to
meet external and internal reporting requirements. The IT Registry is intended to provide
a DoD-wide inventory of mission critical and mission essential systems and, by
September 30, 2006, will include all mission support systems.
The IT Registry contains fields, or "data elements," populated by DoD Components that
provide a security status on their IT systems for such items as accreditation
requirements; risk management, security, and incident response plans; and security control
test information.

Information in the IT Registry is being used in FY 2005 to compile reports required by the
Federal Information Security Management Act (FISMA) of 2002. Specifically, data elements
in the IT Registry are used to compile the annual report to OMB and Congress on the
effectiveness of DoD security programs, the quarterly report to OMB on the agency system
and program metrics, and the E-Authentication Report and Privacy Act Assessments, which
implement the E-Government Act.[1] During FY 2005, DoD planned to merge the IT Registry
with the DITPR database, which will become the official unclassified DoD data source for
FISMA; E-Authentication; Portfolio Management; Privacy Impact Assessments; the inventory of
mission critical, mission essential, and mission support systems; and the registry for
systems under DoD Instruction 5000.2.

[1] The E-Government Act enhances the management and promotion of electronic Government
    services and processes by establishing a Federal CIO within OMB. It also establishes a
    broad framework of measures that require using Internet-based IT to enhance citizen
    access to Government information and services and to ensure privacy.

Information Technology Management Application. DoD uses ITMA to plan, coordinate, and
disseminate DoD IT Exhibit 300 Reports[2] (Capital Investment Reports [CIRs]) as required
by OMB and Congress.
For the FY 2006 President's Budget Request, ASD(NII)/CIO forwarded 172 CIRs, totaling
$30 billion, to OMB. The CIR is the primary means of justifying and managing major IT
investments. Public Law 104-106, "National Defense Authorization Act for Fiscal Year
1996," division E, "Information Technology Management Reform," February 10, 1996, commonly
called the "Clinger-Cohen Act," requires effective and efficient capital planning processes
for selecting, managing, and evaluating the results of all major IT investments. The
Clinger-Cohen Act requires executive agencies to establish goals for improving the
efficiency and effectiveness of agency operations through the effective use of IT and to
submit an annual report to Congress on their progress in achieving those program goals.
DoD uses the CIR to meet that annual reporting requirement to Congress.

DoD Regulation 7000.14-R, "Financial Management Regulation," volume 2b, chapter 18,
"Information Technology Resources and National Security Systems," June 2004, required all
DoD Components that have any resource obligations for IT or national security systems to
submit a CIR that is complete, accurate, and consistent with the requirements of the
Clinger-Cohen Act and OMB Circular A-11, "Preparation, Submission, and Execution of the
Budget," part 7, section 300, "Planning, Budgeting, Acquisition, and Management of Capital
Assets," July 2004. DoD Components must submit an Exhibit 300 or CIR for all major IT
investments.[3] DoD Components use the CIR to show management and OMB that the Component
has employed the disciplines of good project management; presented a strong business case
for the investment; and defined the proposed costs, schedule, and performance goals for the
investment if funding approval is obtained. When submitted, the CIR should be complete and
accurate and provide all required information to OMB.

In FY 2005, DoD began transitioning from ITMA to the SNaP-IT database, which is being used
for the collection and reporting of FY 2007 IT budget information.

[2] An Exhibit 300 is also referred to as a CIR.
[3] Major IT investments require special management attention because of their importance
    to an agency's mission, are for financial management and more than $500,000, have high
    executive visibility, and are defined as major investments by the agency's capital
    planning and investment control process.

Objectives

The overall audit objective was to assess the consistency of information that DoD
Components report to the Office of the Secretary of Defense (OSD), OMB, and Congress on the
security status of their IT systems. Specifically, the audit determined whether information
in ITMA, which is used to prepare the DoD IT budget request and CIRs, is consistent with
system security information in the IT Registry, which is used to prepare the DoD FISMA
Report, and in accordance with OMB and DoD guidance. See Appendix A for a discussion of the
scope and methodology.

Management Controls

We did not review management's self-evaluation of the adequacy of their management
controls. The audit focused on the accuracy of reporting of security information by DoD
Components in the IT Registry and ITMA databases.
We identified that management at all levels omitted material internal controls that would
ensure that security information in DoD databases was consistent. Specifically, data
elements in the IT Registry and the ITMA databases did not identify the same information
for the same system and therefore did not demonstrate that the DoD CIO and Chief Financial
Officer (CFO) communities had implemented sufficient controls to ensure that the reporting
of system security information in those databases was accurate and complete. See the
Finding section of the report for detailed discussion of the management control weaknesses.

DoD Information Technology Databases

DoD Components did not accurately report the same IT system security data in the
IT Registry and ITMA databases. We reviewed the security data elements for 148 IT systems
reported in both databases and determined that:

    •  120 systems (81 percent) reported in the IT Registry did not match their
       corresponding CIRs in ITMA; and

    •  87 IT Registry reports (59 percent) were not internally consistent between the
       system mission criticality and the mission assurance category data elements.

Additionally, DoD Components did not submit timely, accurate, or complete IT Registry
certifications and ITMA compliance statements to the ASD(NII)/CIO. The IT system security
data elements were not correctly reported because the Component CIO and CFO communities
did not enact sufficient controls or conduct reviews to ensure that the information in
FY 2006 CIRs and in IT Registry reports was the same information being reported in both
databases.
As a result, DoD, OMB, and Congressional Committees may be making management decisions
concerning technology operations, investments, security, interoperability, and
architecture based upon erroneous information contained in the IT Registry and ITMA
databases, which DoD uses as the only means to report the security status of its IT
systems and for making enterprise-wide investment and budgetary decisions.

DoD Information Technology Reporting

The DoD CIO Memorandum, "DoD Information Technology Registry Guidance for Fiscal Year
2005," December 21, 2004, required all DoD Component CIOs to ensure consistency between
DoD databases, such as the IT Registry, DITPR, and ITMA. DoD Component security-related
data element entries in the ITMA and IT Registry databases did not demonstrate that DoD
CIOs were ensuring consistency and synchronization of Component system data in both
databases. Specifically, 120 of 148 IT systems (81 percent) reported in IT Registry
reports with corresponding FY 2006 CIRs showed that the same security data elements in
both reports were either inconsistent or missing for testing, accreditation, and planning
information. See Appendix C for a listing of the DoD IT systems reviewed.

Security Control Test Date.

For all IT systems, DoD Components are required to provide the date of the most recent
security control test performed, as a data element in both the IT Registry and ITMA.
However, for 112 of 148 IT systems (76 percent) reviewed, the security control test date
data element was not consistent between the IT Registry and ITMA. Specifically, 77 of the
112 IT Registry and ITMA report pairs both identified a security control test date;
however, the dates did not match.
Additionally, 21 IT Registry reports did not identify a security control test date when
the corresponding ITMA CIR did, 2 ITMA CIRs did not identify a security control test date
when the corresponding IT Registry report contained a date, 8 IT Registry and ITMA report
pairs contained no responses for the security control test date, and 3 IT Registry reports
identified dates for when the system's last security control tests occurred while the
ITMA CIR explicitly stated that the systems had not been tested for security. Lastly, one
IT Registry report stated "not applicable" for the security control test date data
element, while its corresponding ITMA CIR stated that the system had been tested. Table 1
identifies the discrepancy between IT Registry reports and ITMA CIRs for the security
control test date data element.

       Table 1. Comparison of the Security Control Test Date Data Element
           Between IT Registry and ITMA Capital Investment Reports

                          Systems      System Reports
                          Reviewed     Did Not Agree     Percent
  Army                        32             27            84.4
  Navy                        33             27            81.8
  Air Force                   19             15            78.9
  Defense Agencies            64             43            67.2
     Total                   148            112            75.7*

  * Percent of the total systems reviewed whose reports did not agree.

Accreditation Date.
DoD Components are required to identify the date an IT system was accredited, or certified
to operate, in IT Registry and ITMA Capital Investment Reports. Of 148 IT systems reviewed,
49 ITMA CIRs (33 percent) did not match corresponding IT Registry reports for the
accreditation date data element. Specifically, 30 of the 49 ITMA CIRs identified dates
that did not match IT Registry reports, 5 IT Registry reports and 13 ITMA CIRs provided no
response, and 1 IT Registry report stated that the accreditation date data element was
"not applicable" when the corresponding ITMA CIR contained an accreditation date. Table 2
identifies the discrepancy between IT Registry and ITMA Capital Investment Reports for the
accreditation date data element.

      Table 2. Comparison of the Accreditation Date Data Element Between IT
                 Registry and ITMA Capital Investment Reports

                          Systems      System Reports
                          Reviewed     Did Not Agree     Percent
  Army                        32             12            37.5
  Navy                        33             12            36.4
  Air Force                   19              8            42.1
  Defense Agencies            64             17            26.6
     Total                   148             49            33.1*

  * Percent of the total systems reviewed whose reports did not agree.

Accreditation Status.

DoD Components are required to provide the accreditation status for systems in all
IT Registry and ITMA Capital Investment Reports that have undergone a certification and
accreditation process.
Systems that have undergone a certification and accreditation process may be granted an
authority to operate, an interim authority to operate, an interim authority to test, or a
denial of authority to operate. Of the 148 IT systems reviewed, 19 ITMA CIRs (13 percent)
did not match corresponding IT Registry reports for the accreditation status data element.
Specifically, 13 of those 19 systems did not report the same accreditation status in
IT Registry and ITMA Capital Investment Reports, 1 ITMA CIR and 3 IT Registry reports left
the accreditation status data element blank, and 2 IT Registry reports stated that the
accreditation status data element was "not applicable" when the corresponding ITMA CIRs
stated that the systems had an interim authority to operate. Table 3 identifies the
discrepancy between IT Registry and ITMA Capital Investment Reports for the accreditation
status data element.

      Table 3. Comparison of the Accreditation Status Data Element Between IT
                  Registry and ITMA Capital Investment Reports

                          Systems      System Reports
                          Reviewed     Did Not Agree     Percent
  Army                        32              5            15.6
  Navy                        33              6            18.2
  Air Force                   19              5            26.3
  Defense Agencies            64              3            14.1
     Total                   148             19            12.8*

  * Percent of the total systems reviewed whose reports did not agree.

Accreditation Method.
DoD Components are required to report the standard used when accrediting an IT system.
DoD Directive 8500.1, "Information Assurance," October 24, 2002, requires that all DoD IT
systems use the DoD Information Technology Security Certification and Accreditation
Process (DITSCAP) to grant certification and accreditation to any DoD IT system. The
accreditation methodology data element for 12 of 148 ITMA CIRs (8 percent) reviewed did not
match information in corresponding IT Registry reports. Specifically, six IT Registry
reports and two ITMA CIRs did not provide a response for the accreditation method data
element, one IT Registry report and its matching ITMA CIR identified differing
accreditation methods, and three IT Registry reports stated "not applicable" when their
corresponding ITMA CIRs identified that the DITSCAP was used. Table 4 identifies the
discrepancy between the IT Registry reports and ITMA CIRs for the accreditation method
data element.

     Table 4. Comparison of the Accreditation Method Data Element Between IT
                 Registry and ITMA Capital Investment Reports

                          Systems      System Reports
                          Reviewed     Did Not Agree     Percent
  Army                        32              2             6.3
  Navy                        33              2             6.1
  Air Force                   19              4            21.1
  Defense Agencies            64              4             6.3
     Total                   148             12             8.1*

  * Percent of the total systems reviewed whose reports did not agree.

Accreditation Required.
DoD Components are required to state in IT Registry and\nITMA Capital Investment Reports whether a system is required to complete a\nDoD-approved IT security certification and accreditation process. The data element\nfor whether an accreditation was required for 6 of the 148 ITMA CIRs (4 percent)\nreviewed was not consistent with corresponding IT Registry reports. Specifically,\nfour of the six IT Registry reports stated that an accreditation was not required when\nthe corresponding ITMA CIRs stated that it was, one IT Registry report did not\nprovide a response for the accreditation required data element when the ITMA CIR\nstated that the accreditation was required, and the last IT Registry report stated that\naccreditation was required when the corresponding CIR stated that it was not.\nTable 5 identifies the discrepancy between IT Registry reports and ITMA CIRs for\nthe accreditation required data element.\n\n\n\n\n                                               7\n\x0c     Table 5. Comparison of the Accreditation Required Data Element Between\n                IT Registry and ITMA Capital Investment Reports\n\n                                         Systems                System Reports\n                                        Reviewed                Did Not Agree               Percent\n Army                                          32                         1                   3.2\n Navy                                          33                         2                   6.1\n Air Force                                     19                         2                  10.5\n Defense Agencies                              64                         1                   1.6\n     Total                                  148                           6                   4.1*\n *\n  This is the percent of the total system reports that did not agree and the total systems reviewed.\n\n\n\nSystem Security Authorization Agreement Status. 
For each IT system, the\nIT Registry and ITMA Capital Investment Reports provided a system security\nauthorization agreement status, which is based on the method used to certify and\naccredit that an IT system has the authority to operate. The DITSCAP is used to\ncertify and accredit a DoD IT system and is divided into four phases. Sixteen of the\n148 ITMA CIRs (11 percent) reviewed did not match to the phase being reported in\ncorresponding IT Registry reports. Specifically, information for the system security\nauthorization agreement status for 3 of 16 ITMA CIRs did not agree with the\ncorresponding IT Registry report, 12 IT Registry reports did not provide a response\nfor system security authorization agreement status data element, and 1 IT Registry\nreport stated \xe2\x80\x9cnot applicable\xe2\x80\x9d for the system security authorization agreement status\ndata element. Table 6 identifies the discrepancy between IT Registry reports and\nITMA Capital Investment Reports for the system security authorization agreement\nstatus data element.\n\n\n     Table 6. 
Comparison of the System Security Authorization Agreement Status\n      Data Element Between IT Registry and ITMA Capital Investment Reports\n\n                                     Systems                System Reports\n                                    Reviewed                Did Not Agree                  Percent\n Army                                     32                          4                      12.5\n Navy                                     33                          8                      24.2\n Air Force                                19                          2                      10.5\n Defense Agencies                         64                          2                        3.1\n     Total                              148                          16                      10.8*\n *\n  This is the percent of the total system reports that did not agree and the total systems reviewed.\n\n\n\n\n                                                8\n\x0cRisk Management Plan. DoD Components are required to report whether an\nIT system has a risk management plan. That plan identifies the risks and\nvulnerabilities associated with the system, assesses the sensitivity of the data, and\nidentifies the approach to mitigate those risks and vulnerabilities. For 16 of the\n148 ITMA CIRs (11 percent) reviewed, the corresponding IT Registry reports for the\nrisk management plan data element did not match. Specifically, 10 IT Registry\nreports did not provide a response for the risk management plan data element when\nthe ITMA CIR identified that there was a plan for the system, and 4 IT Registry\nreports stated that the plan was \xe2\x80\x9cnot applicable\xe2\x80\x9d when the corresponding ITMA CIRs\nstated that a risk management plan was in place. Additionally, two IT Registry\nreports stated that there was no risk management plan for the system, while the\ncorresponding ITMA CIR explicitly stated that there was a plan. 
Table 7 identifies\nthe discrepancy between IT Registry and ITMA Capital Investment Reports for the\nrisk management plan data element.\n\n\n Table 7. Comparison of the Risk Management Plan Data Element Between IT\n              Registry and ITMA Capital Investment Reports\n\n                                    Systems                 System Reports\n                                    Reviewed                Did Not Agree                  Percent\n Army                                     32                          5                      15.6\n Navy                                     33                          3                        9.1\n Air Force                                19                          2                      10.5\n Defense Agencies                         64                          6                        9.4\n     Total                              148                          16                      10.8*\n *\n  This is the percent of the total system reports that did not agree and the total systems reviewed.\n\n\n\nSecurity Plan. DoD Components are required to state whether each IT system has a\nsystem security plan. The system security plan provides an overview of the security\nrequirements of the system and describes the controls in place or planned for meeting\nthose requirements. Sixteen of the 148 ITMA CIRs (11 percent) reviewed did not\nmatch the corresponding IT Registry reports for the security plan data element.\nEleven of the 16 ITMA CIRs had blank security plan information in their IT Registry\nreports, and three ITMA CIRs provided a response that did not match IT Registry\nreports. Two IT Registry reports stated that a security plan was \xe2\x80\x9cnot applicable\xe2\x80\x9d\nwhen corresponding ITMA CIRS identified that a security plan was in place. 
Table 8\nidentifies the discrepancy between IT Registry reports and ITMA CIRs for the\nsecurity plan data element.\n\n\n\n\n                                               9\n\x0c Table 8. Comparison of the Security Plan Data Element Between IT Registry\n                  and ITMA Capital Investment Reports\n\n                                       Systems                System Reports\n                                      Reviewed                Did Not Agree                Percent\n Army                                      32                           5                   15.6\n Navy                                      33                           5                     5.2\n Air Force                                 19                           2                   10.5\n Defense Agencies                          64                           4                     6.3\n     Total                                148                         16                     10.8*\n *\n  This is the percent of the total system reports that did not agree and the total systems reviewed.\n\n\n\nSecurity Incident Response Plan. DoD Components are required to report whether\ntheir IT systems had controls in place to recognize, report, monitor, and efficiently\nhandle security incidents and share this information with the appropriate\norganizations. Fifteen of the 148 ITMA CIRs (10 percent) reviewed did not match\ncorresponding IT Registry reports for the security incident response plan data\nelement. Specifically, 11 of 15 IT Registry reports did not record a response for the\nsecurity incident response plan data element, 2 IT Registry reports and their\ncorresponding ITMA CIRs provided responses that did not match, and 2 IT Registry\nreports stated that a security incident response plan was \xe2\x80\x9cnot applicable\xe2\x80\x9d when the\ncorresponding ITMA CIRs identified that a security incident response plan was in\nplace. 
Table 9 identifies the discrepancy between IT Registry and ITMA Capital\nInvestment Reports for the security incident response plan data element.\n\n\n     Table 9. Comparison of the Security Incident Response Plan Data Element\n            Between IT Registry and ITMA Capital Investment Reports\n\n                                    Systems                 System Reports\n                                    Reviewed                Did Not Agree                  Percent\n Army                                     32                          5                     15.6\n Navy                                     33                          3                       9.1\n Air Force                                19                          2                     10.5\n Defense Agencies                         64                          5                       7.8\n     Total                              148                          15                     10.1*\n *\n  This is the percent of the total system reports that did not agree and the total systems reviewed.\n\n\n\nMission Assurance Category and Mission Criticality. DoD Directive 8500.1,\n"Information Assurance," October 24, 2002, defines the mission assurance categories\n\n\n                                                10\n\x0cand the Deputy CIO Memorandum, "Department of Defense Information Technology\nRegistry Guidance for Fiscal Year 2005," December 21, 2004, defines mission\ncritical, mission essential, and mission support systems (based on requirements found\nin DoD Instruction 5000.2, \xe2\x80\x9cOperation of Defense Acquisition System,\xe2\x80\x9d May 12,\n2003). See Appendix D for definitions of mission assurance categories and mission\ncriticalities from the source documents. The relationship between the definitions is\nthe importance of potential impact should the system become inoperable. 
For example, if a mission assurance category I or mission critical system lost capability, that loss would severely impact operations. If a mission assurance category II or mission essential system lost capability, an organization or mission could sustain operations for a short period before those operations were seriously impacted, and the loss of capability for a mission assurance category III or mission support system would not significantly impact mission effectiveness or operational readiness. The relationship between mission assurance and mission criticality for 87 of 148 IT Registry Reports (59 percent) was not consistent. Of the 87 IT Registry Reports:

    •  37 reports designated the IT system as mission essential with a mission assurance category III;

    •  18 reports designated the IT system as mission critical with a mission assurance category II;

    •  13 reports did not designate a mission assurance category;

    •  11 reports designated the IT system as mission critical with a mission assurance category III;

    •  4 reports designated the IT system as mission essential with a mission assurance category I;

    •  2 reports indicated that the mission assurance category was “not applicable;”

    •  1 report designated the IT system as mission support with a mission assurance category I; and

    •  1 report designated the IT system as mission support with a mission assurance category II.

Table 10 identifies the discrepancy between the mission assurance category and mission criticality data elements in the IT Registry.

Table 10. Comparison Between Mission Assurance Category and Mission Criticality Data Element in IT Registry Reports

                      Systems     System Reports
                      Reviewed    Did Not Agree     Percent
  Army                   32            12             37.5
  Navy                   33            23             69.7
  Air Force              19            12             63.2
  Defense Agencies       64            40             62.5
      Total             148            87             58.8*

  * Percent of the total systems reviewed whose reports did not agree.

Appendix C identifies the 148 IT systems reviewed and those systems with inaccurate and incomplete information for security data elements in the IT Registry and in ITMA, and the inconsistencies between the mission assurance and mission criticality categories in IT Registry reports.

The inconsistencies identified would not have occurred if the DoD were compliant with Federal Information Processing Standards Publication (FIPS) 199, “Standards for Security Categorization of Federal Information and Information Systems,” February 2004. OMB FISMA reporting guidance for both FY 2004 and FY 2005 required all Federal agencies to report the security categorization of their IT systems in accordance with the FIPS 199 three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). These impact levels are: low, moderate, and high. All agencies must categorize their information and information systems using one of those three categories in order to determine which security controls should be implemented. Because DoD is not compliant with FIPS 199, on April 18, 2005, the Acting ASD(NII)/CIO directed that the mission assurance category level categorizations found in DoD Instruction 8500.2 be utilized to report the status of DoD IT systems populating the IT Registry for FY 2005 FISMA reporting purposes. However, the IT Registry is populated by systems in accordance with their mission critical, mission essential, or mission support status, and the data elements are not necessarily consistent. Adoption of the OMB and Congressionally directed FIPS 199 will both resolve this internal DoD inconsistency and preclude aggregation of inconsistent data across the Federal agency spectrum.


DoD IT Database Certification and Compliance Statements

DoD Components did not adhere to DoD policy and guidance when preparing compliance and certification statements. Specifically, DoD Components did not submit timely, accurate, or complete IT Registry certifications and ITMA compliance statements to ASD(NII)/CIO.

Information Technology Registry Certification Statement. The Deputy CIO Memorandum, “DoD Information Technology Registry Policy Guidance for 2004,” December 1, 2003, required that the DoD Component CIO certify in writing that all IT systems—including mission critical and mission essential financial IT systems—were properly registered in the IT Registry and that all required data elements were correct; however, the FY 2005 Deputy CIO Memorandum did not. The FY 2005 Deputy CIO Memorandum included a certification template which recommended that the Component CIO state that changes to mission critical and mission essential systems were complete and correct; however, the FY 2005 policy memorandum did not require that the Component CIO explicitly state in their certification letter that the data elements for all systems, regardless of change, were complete and correct, as the FY 2004 guidance did.

We reviewed 41 DoD Components for FY 2004 IT Registry certification statements and identified that 10 Components (24 percent) did not submit a certification for their IT systems. Twenty-eight of the 31 Components that submitted certification statements stated that all their IT systems were registered in the IT Registry; however, only 8 Components certified that all required data elements were correct. Additionally, the certification statements submitted by 24 of the 31 Components (77 percent) were dated after the July 15, 2004, due date, and 4 certifications were not dated.

For FY 2005, the ASD(NII)/CIO required in the Deputy CIO Memorandum, “DoD Information Technology Registry Guidance for Fiscal Year 2005,” December 21, 2004, that DoD Component CIOs complete their last update to the IT Registry no later than September 1, 2005, six weeks after the July 22, 2005, due date for the submission of the DoD Component FISMA reports to OSD. Additionally, ASD(NII)/CIO required that DoD Components provide written IT Registry certifications covering the period October 1, 2004, through September 30, 2005, by October 15, 2005, one week after the October 7, 2005, deadline for submission of the Department-wide FISMA report to OMB. ASD(NII)/CIO did not enact sufficient controls to ensure the accuracy of information in the IT Registry—used to support the DoD FISMA reports to OMB and Congress—because IT Registry updates and required certification statements were permitted after submission of the consolidated DoD report to OMB. The DoD report to OMB is based on system data uncertified by DoD Components, and OSD has no other internal control mechanism for validating the data utilized for management purposes by OSD, OMB, and Congress.

Capital Investment Report Statements of Compliance. DoD Regulation 7000.14-R, volume 2b, chapter 18, required that the DoD Component CIO and CFO sign a joint memorandum stating that their budget submissions were complete; accurately aligned with the primary budget, program and/or acquisition materials; and consistent with the Clinger-Cohen Act, OMB Circular A-11, the DoD CIO guidance memorandums, and the Paperwork Reduction Act. The FY 2006 Budget Estimate Submission statements of compliance were due to ASD(NII)/CIO on September 9, 2004.

All DoD Components were required to submit statements of compliance for their IT budget requests, but not all Components had major investments requiring preparation of an ITMA CIR. Of the 15 Components that submitted ITMA CIRs, 13 Components submitted statement of compliance memorandums for their investment information in ITMA, while the Navy and the Defense Commissary Agency did not. However, only 2 of the 13 statements were dated on or before the September 9, 2004, due date; 4 of the 13 statements were not signed by both the CIO and the CFO; and 7 statements did not include the required statements that their budget submissions were complete; accurately aligned with the primary budget, program and/or acquisition materials; and consistent with DoD and OMB guidance.


Management Controls Over DoD IT Databases

Information technology system security data elements were not correctly reported in DoD databases because the CIO and CFO communities did not enact sufficient controls or conduct reviews to ensure that the same information was being reported in the IT Registry and ITMA. Recommendations made in two prior DoD IG audit reports identified weaknesses in management controls for accurate, consistent, and efficient reporting of IT system information in DoD IT databases and recommended that the Under Secretary of Defense (Comptroller)/Chief Financial Officer (USD[C]/CFO) and the ASD(NII)/CIO enact such controls to mitigate those management weaknesses. Those recommendations, if implemented, would have assisted USD(C)/CFO and ASD(NII)/CIO to implement controls that would have addressed part of the cause discussed in the Finding section of this report.

DoD IG Report No. D-2003-117, “Systems Inventory to Support the Business Enterprise Architecture,” July 10, 2003, recommended that the Office of USD(C)/CFO and ASD(NII)/CIO, as part of the Business Modernization and Systems Integration Governance Concept, establish procedures to verify through the architecture domain owners that the data included in the architecture domain database mirror what is included in the IT Registry and any other databases maintained for systems in a particular domain, and that the completeness of the data be verified periodically to ensure that the data was kept current, consistent, and accurate to enhance budget decisions and respond to OMB and Congressional reporting requirements. USD(C)/CFO and ASD(NII)/CIO responded on August 15, 2003, that the Department would create an “integrated repository” that would allow the use of current data structures already developed for the IT Registry, the Business Management Modernization Program database, and ITMA to use a single source update to post information to all databases, thus ensuring equality of data for updating the databases. The intent of the “integrated repository” was to use a single source update process to post information to all databases. USD(C)/CFO and ASD(NII)/CIO also stated that the common data currently maintained in the IT Registry, the Business Management Modernization Program database, and ITMA would be reconciled to ensure that the initial baseline of data included in the integrated data repository agrees.

As of October 2005, the “integrated repository” had not been developed, although work is underway to form an IT Management Data Community of Interest at some future time.
With passage of the National Defense Authorization Act for FY 2005, section 332, responsibility for management oversight of the Defense business information systems has transferred from USD(C)/CFO to the Defense Business System Management Committee chaired by the Deputy Secretary of Defense. Responsibility to ensure that consistent and accurate information is being reported in DoD IT databases, however, remains with ASD(NII)/CIO as the proponent of both the IT Registry and ITMA (and follow-on databases DITPR and SNaP-IT).

DoD IG Report No. D-2003-008, “Implementation of the Government Information Security Reform by the Defense Finance and Accounting Service for the Defense Integrated Financial Systems,” October 7, 2002, recommended that ASD(NII)/CIO (formerly known as the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence) develop effective data integrity controls, in coordination with the DoD Components, that ensure the accuracy, completeness, and validity of information entered in the DoD IT Registry database (Recommendation 1.a.). DoD IG Report No. D-2003-008 also recommended that ASD(NII)/CIO reconcile, on an annual basis, the systems in the IT Registry with those reported by the DoD Component CIO (Recommendation 1.b.). ASD(NII)/CIO concurred with Recommendation 1.a., stating that they expect users to enter data correctly and that they rely on the user’s internal business process to ensure accuracy, completeness, and validity of information. ASD(NII)/CIO also said that they would issue clarifying IT Registry guidance that would address Recommendation 1.a. ASD(NII)/CIO partially concurred with Recommendation 1.b., stating that DoD Component CIOs certify the accuracy of systems on an annual basis and that the new IT Registry guidance would require those Component CIOs to reconcile their mission critical and mission essential data on a quarterly basis and to certify the accuracy of information entered by their organizations.

ASD(NII)/CIO corrective actions to recommendations in DoD IG Report Nos. D-2003-117 and D-2003-008 remain insufficient to ensure that accurate and complete information is being reported in DoD databases used to report on the security status of DoD IT systems to OMB and to the Congress.


Conclusion

The IT system information maintained in the IT Registry and ITMA is unreliable because the DoD CIO and CFO communities failed to enact sufficient controls to ensure the accuracy, consistency, and synchronization of Component system data between those DoD databases, as mandated in DoD guidance. In addition, DoD is not in compliance with NIST FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems.” The flawed information in the IT Registry and in ITMA is the only means for DoD to report the security status of its IT systems enterprise-wide and is being used to compile reports for FISMA, the Privacy Act, and the E-Authentication reporting requirements, as well as the DoD IT budget request and justification and the DoD response to the requirement of National Defense Authorization Act for FY 2005 section 332. DoD, OMB, and Congressional Committees are making enterprise-wide management decisions concerning IT operations, investments, security, interoperability, and architecture based upon database reports containing erroneous information. The incorrect, inaccurate, and incomplete information in the current DoD IT databases diminishes the utility of those databases for management oversight purposes. Unless DoD management develops and enforces effective internal quality assurance controls over Component controlled data in the new DITPR and SNaP-IT databases, this situation will continue.


Recommendations, Management Comments, and Audit Response

We recommend that the Assistant Secretary of Defense for Networks and Information Integration/Chief Information Officer ensure that the information in DoD information technology databases is accurate and complete. Specifically,

1. Immediately commence utilization of automatic data integrity controls on DoD-wide information technology databases to preclude population of data elements with invalid entries as recommended by the Office of the Inspector General in August 2002.

Management Comments. The Deputy ASD(NII)/Deputy CIO concurred, stating that the DoD CIO plans to establish the DoD IT Management Data Community of Interest in December 2005, which will include a net-centric capability for publishing and subscribing to all authoritative IT management data. The process established by the Community of Interest will ensure that data elements across the Department are populated and traceable.

Audit Response. The Deputy ASD(NII)/Deputy CIO comments are partially responsive. We request that the Deputy CIO provide detailed information on the Community of Interest initiative, to include the implementation schedule and responsible offices.

2. Identify and impose penalties beginning in the first quarter of FY 2006 on those DoD Component Chief Information Officers that did not:

Management Comments. The Deputy ASD(NII)/Deputy CIO nonconcurred with imposing penalties on the CIOs, stating that existing mechanisms can be strengthened to enforce data integrity.

Audit Response. The Deputy ASD(NII)/Deputy CIO comments were nonresponsive. We request that the Deputy ASD(NII)/Deputy CIO identify those current and new mechanisms that will be used to strengthen and enforce data integrity within and between DoD databases.

        a. Implement sufficient controls to ensure that all common security data elements in the Information Technology Registry/DoD Information Technology Portfolio Repository and the Information Technology Management Application/Select and Native Programming Information Technology databases are the same;

        Management Comments. The Deputy ASD(NII)/Deputy CIO concurred, stating that FISMA, DITPR, and IT budget guidance will reemphasize that each Component CIO is responsible for ensuring that all common security data elements in the IT Registry/DITPR and the ITMA/SNaP-IT databases are the same.

        Audit Response. The Deputy ASD(NII)/Deputy CIO comments were nonresponsive. The issuance of guidance is the first step to implementing sufficient controls to ensure the commonality of security information in DoD databases; however, additional controls are required, as the inconsistencies in DoD databases have been an unresolved issue. We first highlighted the need for additional controls in DoD IG Report Nos. D-2003-008 and D-2003-117; however, those recommendations were not implemented. Therefore, we request that the Deputy ASD(NII)/Deputy CIO reconsider this recommendation and implement sufficient controls to ensure that all common security data elements in the IT Registry/DITPR and ITMA/SNaP-IT are the same.

        b. Reconcile the security data elements in the Information Technology Registry/DoD Information Technology Portfolio Repository and the Information Technology Management Application/Select and Native Programming Information Technology databases at least quarterly to ensure that they are the same; and

        Management Comments. The Deputy ASD(NII)/Deputy CIO partially concurred, stating that because IT budget data is collected in SNaP-IT biannually, quarterly reconciliations would be inefficient and provide no benefit. She stated that DoD will establish an automated annual security data elements reconciliation process that will be institutionalized through the databases’ Configuration Control Boards, with results of corrective actions being reported to the DoD CIO and CIO Executive Board.

        Audit Response. The Deputy ASD(NII)/Deputy CIO comments were partially responsive. The Deputy ASD(NII)/Deputy CIO did not state when she will establish the reconciliation process as part of the databases’ Configuration Control Boards, or how the results and status of necessary corrective actions will be reported.

        c. Populate all required data elements in the Information Technology Registry/DoD Information Technology Portfolio Repository and the Information Technology Management Application/Select Native Programming – Information Technology databases.

        Management Comments. The Deputy ASD(NII)/Deputy CIO concurred, stating that the DoD CIO is in the process of developing annual DITPR guidance, expected to be issued in December 2005, that will identify mandatory data elements that must be populated within 90 days. If uncorrected after 90 days, the system will be deleted from DITPR and identified to the DoD CIO. The Deputy ASD(NII)/Deputy CIO stated that ASD(NII), Resources Directorate, is in the process of identifying those data elements that are required in SNaP-IT and issuing those requirements to the SNaP-IT development team.

        Audit Response. The Deputy ASD(NII)/Deputy CIO comments were responsive to the recommendation; therefore, no further comments are required.

3. Include the requirement in all future DoD Information Technology Portfolio Repository guidance that DoD Components explicitly certify in writing that the information in the DoD Information Technology Portfolio Repository is complete and correct.

Management Comments. The Deputy ASD(NII)/Deputy CIO concurred, stating that in response to the FY 2005 National Defense Authorization Act, the Department recently issued a Concept of Operations for Investment Review Boards. That document provides the necessary detail regarding governance, roles, responsibilities, processes, controls, and reporting requirements to ensure that Component IT investments are visible to the highest levels of DoD and are in compliance with mission area guidance and recommendations.

Audit Response. The Deputy ASD(NII)/Deputy CIO comments were nonresponsive. We request that the Deputy ASD(NII)/Deputy CIO provide additional comments on this recommendation, as she did not state whether she would require, in all future DITPR guidance, that DoD Components explicitly certify in writing that the information in DITPR is complete and correct. Further, DITPR is the authoritative DoD database for all IT management data, to include the warfighting, intelligence, and enterprise information environment mission areas in addition to the defense business systems addressed by the FY 2005 National Defense Authorization Act.

4. Review the Information Technology Registry/DoD Information Technology Portfolio Repository certifications to ensure that DoD Components are submitting the required certification. Identify and impose sanctions beginning in the first quarter of FY 2006 on those DoD Components that do not:

        a. Submit a certification prior to the due date;

        b. Include a date on the certification statement; and

        c. Explicitly state that the information in the Information Technology Registry/DoD Information Technology Portfolio Repository is complete and correct.

Management Comments. The Deputy ASD(NII)/Deputy CIO concurred, stating that those DoD CIOs who do not submit a certification prior to the due date, include a date on the certification statement, and explicitly state that the information in the IT Registry/DITPR is complete and correct will be identified to the DoD CIO and required to explain their inaction to the DoD CIO Executive Board.

Audit Response. The Deputy ASD(NII)/Deputy CIO comments were responsive to the recommendation; therefore, no further comments are required.

5. Require DoD Component Chief Information Officers in FY 2006 and beyond to submit the Information Technology Registry/DoD Information Technology Portfolio Repository certifications prior to submitting the DoD Federal Information Security Management Act Report to the Office of Management and Budget.

Management Comments. The Deputy ASD(NII)/Deputy CIO concurred, stating that certifications will be required annually on the first of September.

Audit Response. The Deputy ASD(NII)/Deputy CIO comments were responsive to the recommendation; therefore, no further comments are required.

6.
Advise the Office of Management and Budget and Congress that DoD does\nnot have viable internal controls over the accuracy of data it is reporting\nconcerning the security of its information technology systems and investments\nand caveat all reports based on data drawn from unreliable databases, such as\nthe Information Technology Registry/DoD Information Technology Portfolio\nRepository and the Information Technology Management Application/Select\nNative Programming \xe2\x80\x93 Information Technology until such time as demonstrably\neffective internal controls have been in place for at least one full year reporting\ncycle.\n\nManagement Comments. The Deputy ASD(NII)/Deputy CIO nonconcurred stating\nthat the FY 2007 Exhibit 300 review process has greatly improved the data quality of\nthe security data submissions in the Exhibit300s. She stated that resource managers\nwere briefed on findings identified by the DoD, Office of the Inspector General on\nthe FY 2006 Exhibit 300s and all Component FISMA IA officials were briefed to\nreview both databases for consistency for the FY 2007 submissions.\n\nAudit Response. The Deputy ASD(NII)/Deputy CIO comments were\nnonresponsive. Although the Deputy ASD(NII)/Deputy CIO stated that the\nExhibit 300 data quality has greatly improved and that IA officials were briefed to\nreview consistency between the databases, the fact remains that internal controls are\nnot effective to ensure the accuracy of reporting the security of DoD IT systems and\ninvestments as inconsistencies still remain. We request that the Deputy\nASD(NII)/Deputy CIO explain the specific internal controls implemented to\nsubstantiate their conclusion that the FY 2007 Exhibit 300 review process has\nimproved the data quality and that briefing Component FISMA officials regarding\ndatabase consistency constitutes an effective internal control.\n\n7. 
Develop internal control mechanisms other than Component Chief\nInformation Officer and Chief Financial Officer certifications, report the\ndiscrepancies between DoD databases as a material control weakness, and\ndevelop a Plan of Action and Milestones to track and correct conditions.\n\nManagement Comments. The Deputy ASD(NII)/Deputy CIO concurred with the\ndevelopment of internal control mechanisms other than Component CIO and CFO\ncertifications stating that the ITMA application is being re-hosted as a components of\nSNaP-IT. Once re-hosted, the Deputy Assistance Secretary of Defense for Resources\nand the Director, Program Analysis and Evaluation will work toward integrating the\nIT budget with the overall DoD budget and adequate management controls should be\navailable to ensure alignment with the IT budget and the overall DoD budget and the\nStatement of Compliance can be eliminated.\n\nThe Deputy ASD(NII)/Deputy CIO nonconcurred with reporting discrepancies\nbetween DoD databases as a material control weakness and developing a Plan of\nAction and Milestone stating that the inconsistencies do not represent a material\nweakness and that ASD(NII)/CIO has thoroughly examined database requirements\nand identified areas to strengthen the integration of or interface between databases.\n\nAudit Response. The Deputy ASD(NII)/Deputy CIO comments were\nnonresponsive. We request that the Deputy ASD(NII)/Deputy CIO provide the\nmanagement controls that will be used to ensure alignment with the IT budget and the\n\n\n                                      19\n\x0coverall DoD budget. Additionally, we request that the Deputy ASD(NII)/Deputy\nCIO reconsider reporting the discrepancies between authoritative DoD databases for\nthe IT budget and IT data management as a material control weakness and not\ndeveloping a Plan of Action and Milestone.\n\n8. 
Adopt National Institute of Standards and Technology Federal Information\nProcessing Standards Publication 199 to categorize information and information\nsystems and revise the Information Technology Registry/DoD Information\nTechnology Portfolio Repository and the Information Technology Management\nApplication/Select Native Programming \xe2\x80\x93 Information Technology data\nelements accordingly.\n\nManagement Comments. The Deputy ASD(NII)/Deputy CIO nonconcurred stating\nthat there are fundamental differences between FIPS 199 potential impact definitions\nand DoD Mission Assurance Categories and confidentiality requirements that DoD\nuses to categorize information systems. She explained that the difference is that\nFIPS 199 focuses on potential impact to the organization and is not applicable to\nNational Security Systems while the Mission Assurance Category focuses on impact\nto operational readiness and mission effectiveness.\n\nThe Deputy ASD(NII)/Deputy CIO further stated that DoD IA policy promulgated in\nDoD Instruction 8500.2 is more stringent that FIPS 199 for confidentiality because\nFIPS 199 definition for MODERATE and HIGH impact equate to classified\ninformation for DoD which requires more stringent IA controls that also enhances\nintegrity and availability by restricting both physical and logical access. The Deputy\nASD(NII)/Deputy CIO stated that for integrity, DoD IA policy is more stringent\nbecause it requires absolute integrity at the FIPS 199 MODERATE and HIGH impact\nlevels and that the availability controls can be compared to the three impact levels in\nFIPS 199 and appear essentially equivalent.\n\nAudit Response. The Deputy ASD(NII)/Deputy CIO comments were nonresponsive\nto the recommendation; however, no further comments are required at this time. 
The subject of the applicability of NIST standards and guidelines to DoD National Security Systems and non-IT National Security Systems is being pursued between the Deputy ASD(NII)/Deputy CIO and the DoD Office of the Inspector General in a separate forum.

Appendix A. Scope and Methodology

We reviewed 172 CIRs found in ITMA that DoD submitted to OMB and the Congress with the FY 2006 President’s Budget request. We determined that 148 CIRs were IT systems also being reported in the IT Registry for system security reporting purposes under FISMA. The remaining 24 CIRs were identified by program officials as infrastructure, an investment or initiative, or a mission support system, and therefore were not reported in the IT Registry. We reviewed and compared responses for the following nine security-related data elements in the IT Registry and ITMA: security control test date, accreditation date, accreditation status, accreditation method, accreditation required, system security authorization agreement status, risk management plan, security plan, and security incident response plan. We also reviewed and compared responses in IT Registry individual system reports for the mission assurance category and mission criticality data elements. We assessed the consistency of information in reports prepared by DoD Components in the ITMA and IT Registry databases, as well as the internal consistency of security data elements in the IT Registry. The Component data contained in those databases is used by OSD to manage the information assurance program of the Department and to make congressionally required reports regarding that program to OMB and Congress.

We reviewed DoD Component CIO IT Registry certification statements to identify whether all systems were properly registered in the IT Registry and whether all required data elements were complete and accurate. We also reviewed ITMA CIR statements of compliance for certification that budget submissions contained required information and were in compliance with DoD policy and guidance.

We evaluated the reporting process and the completeness of information in IT reports, based on report preparation guidance from the Clinger-Cohen Act, OMB Circular A-11, DoD Regulation 7000.14-R, the DoD CIO FY 2004 and FY 2005 IT Registry guidance memorandums, FISMA, and the Paperwork Reduction Act. We reviewed relevant documents addressing IT reporting guidance for DoD databases dated from July 2004 through September 2005. We met with analysts responsible for IT budget reports and the IT Registry within ASD(NII) to obtain access to IT system reports and to understand the FY 2005 reporting process for DoD IT systems in the various databases.

We performed this audit from May 2005 through November 2005 in accordance with generally accepted government auditing standards.

Use of Computer-Processed Data. We did not use computer-processed data to perform this audit.

Government Accountability Office High-Risk Area. The Government Accountability Office has identified several high-risk areas in DoD. This report provides coverage of the Protecting the Federal Government’s Information-Sharing Mechanisms and the Nation’s Critical Infrastructures high-risk area.

Appendix B.
Prior Coverage

During the last 5 years, the Government Accountability Office (GAO) and the Department of Defense Inspector General have issued 17 reports discussing the reliability of DoD IT budget submissions. Unrestricted GAO reports can be accessed over the Internet at http://www.gao.gov. Unrestricted DoD IG reports can be accessed at http://www.dodig.mil/audit/reports.

GAO

GAO Report No. GAO-05-552, “Weaknesses Persist at Federal Agencies Despite Progress Made in Implementing Related Statutory Requirements,” July 15, 2005

GAO Report No. GAO-05-381, “DoD Business System Modernization: Billions Being Invested Without Adequate Oversight,” April 29, 2005

GAO Report No. GAO-04-858, “Defense Acquisitions: The Global Information Grid and Challenges Facing Its Implementation,” July 28, 2004

GAO Report No. GAO-04-823, “Federal Chief Information Officers: Responsibilities, Reporting Relationships, Tenure, and Challenges,” July 21, 2004

GAO Report No. GAO-04-615, “DoD Business System Modernization: Billions Continue to Be Invested with Inadequate Management Oversight and Accountability,” May 27, 2004

GAO Report No. GAO-04-731R, “DoD Business Systems Modernization: Limited Progress in Development of Business Enterprise Architecture and Oversight of Information Technology Investments,” May 17, 2004

GAO Report No. GAO-04-115, “Improvements Needed in the Reliability of Defense Budget Submissions,” December 19, 2003

DoD IG

DoD Inspector General Report No. D-2005-099, “Status of Selected DoD Policy on Information Technology Governance,” August 19, 2005

DoD Inspector General Report No. D-2005-094, “Proposed DoD Information Assurance Certification and Accreditation Process,” July 21, 2005

DoD Inspector General Report No. D-2005-083, “Reporting of DoD Capital Investments for Information Technology in Support of the FY 2006 Budget Submission,” June 10, 2005

DoD Inspector General Report No. D-2005-054, “DoD Information Technology Security Certification and Accreditation Process,” April 28, 2005

DoD Inspector General Report No. D-2005-029, “Management of Information Technology Resources Within DoD,” January 27, 2005

DoD Inspector General Report No. D-2005-023, “Assessment of DoD Plan of Action and Milestone Process,” December 13, 2004

DoD Inspector General Report No. D-2005-002, “Reporting of DoD Capital Investments for Technology in Support of the FY 2005 Budget Submission,” October 12, 2004

DoD Inspector General Report No. D-2004-081, “Reporting of DoD Capital Investments for Information Technology,” May 7, 2004

DoD Inspector General Report No. D-2003-117, “Systems Inventory to Support the Business Enterprise Architecture,” July 10, 2003

DoD Inspector General Report No. D-2003-008, “Implementation of the Government Information Security Reform by the Defense Finance and Accounting Service for the Defense Integrated Financial System,” October 7, 2002

Appendix C.
IT Registry and ITMA Systems Reviewed

Inconsistent data between:
  (A) IT Registry and ITMA CIRs
  (B) IT Registry Mission Assurance and Criticality Categories

 No.  (A)  (B)  System

Army Systems
  1   no   no   Advanced Field Artillery Tactical Data System
  2   yes  no   All Source Analysis System
  3   yes  no   Army Airborne Command and Control System
  4   yes  no   Battle Command Sustainment Support System
  5   yes  no   Combat Terrain Information System
  6   yes  yes  Defense Message Service – Army
  7   no   no   Distributed Learning System
  8   yes  no   Distributive Training Technology
  9   yes  yes  Electronic Military Personnel System
 10   yes  no   Enhanced Position Location Reporting System
 11   yes  yes  Enterprise Human Resources System
 12   yes  no   Force XXI Battle Command Brigade and Below
 13   yes  no   Forward Area Air Defense Command and Control System
 14   yes  no   General Fund Enterprise Business System
 15   yes  no   Global Combat Support System – Army
 16   no   no   Global Command and Control System – Army
 17   yes  no   Guardnet XXI, The Army National Guard’s Wide Area Network
 18   yes  yes  Installation Support Module
 19   yes  yes  Joint Computer-Aided Acquisition and Logistics Support
 20   yes  yes  Joint Tactical Radio System – Cluster 1
 21   yes  yes  Joint Tactical Radio System – Joint Program Office (JPO)
 22   yes  yes  Logistics Modernization Program
 23   yes  no   Maneuver Control System
 24   yes  yes  Personnel Enterprise Support – Automation
 25   yes  yes  Reserve Component Automation System
 26   yes  no   Secure Mobile Anti-Jam Reliable Tactical-Terminal
 27   yes  no   Single Channel Ground and Airborne Radio System
 28   yes  yes  Tactical Operation Centers
 29   no   no   Transportation Coordinators’ Automated Information for Movements System II
 30   yes  no   US Army Accessions Command Integrated Automation Architecture
 31   yes  yes  US MEPCOM Integrated Resource System
 32   yes  no   Warfighter Information Network – Tactical

Navy Systems
  1   yes  no   Automated Teller Machines – At Sea
  2   no   yes  Aviation Supply Chain and Maintenance – Enterprise Resource Planning
  3   yes  yes  Baseline Advanced Industrial Management Express
  4   yes  yes  Claimant Financial Management System
  5   yes  no   Deployable Joint Command and Control
  6   yes  yes  Electronic Acquisition 21
  7   yes  no   Electronic Commerce/Electronic Data Interchange
  8   no   yes  Electronic Military Personnel Records System
  9   yes  yes  Finance and Air Clearance Transportation System
 10   yes  yes  Global Combat Support System – Marine Corps
 11   yes  no   Global Command and Control System – Maritime
 12   yes  yes  Maritime Corps Total Force System – Personnel
 13   no   no   Material Finance Control System
 14   no   no   Military Sealift Command Financial Management System
 15   yes  yes  Multifunctional Information Distribution System – Low Volume Terminal
 16   yes  yes  Navair Depot Maintenance System
 17   yes  yes  Navair Program Management – Enterprise Resource Planning
 18   no   yes  Navsea Navy Enterprise Maintenance Automated Information System – Enterprise
 19   yes  yes  Navy Air Force Interface
 20   yes  no   Navy.com
 21   yes  yes  Navy Distance Learning System
 22   yes  no   Navy Enterprise Resource Planning
 23   yes  yes  Navy Marine Corps Intranet (NMCI)
 24   yes  yes  Navy Mission Planning System
 25   yes  yes  Navy Standard Integrated Personnel System
 26   yes  no   Navy Tactical Command Support System
 27   yes  yes  Shipyard Management Information Systems – Infrastructure
 28   yes  yes  SPAWAR Financial Management – Enterprise Resource Planning
 29   yes  yes  Standard Labor Data Collection and Distribution Accounting
 30   yes  no   Support Equipment Resource Management Information System
 31   yes  yes  Trident Logistics Data System
 32   yes  yes  Uniform ADP – Inventory Control Points
 33   yes  yes  Uniform ADP System – Stock Points

Air Force Systems
  1   yes  no   Advanced Distributive Learning System
  2   yes  yes  Air Force Mission Support System
  3   yes  no   Battle Control System – Mobile
  4   yes  yes  Cheyenne Mountain Complex/Tactical Warning – Attack Assessment
  5   yes  no   Combat Information Transport System
  6   no   yes  Depot Maintenance Accounting and Production System
  7   yes  yes  Financial Information Resource System
  8   yes  no   Fuels Automated Management System Sustainment – Air Force
  9   yes  yes  Global Broadcast Service
 10   yes  yes  Global Combat Support System – Air Force
 11   no   yes  High Frequency Global Communications System
 12   yes  yes  Integrated Logistics System – Supply
 13   yes  no   Integrated Maintenance Data System
 14   yes  no   Integrated Strategic Planning and Analysis Network
 15   no   no   Mobility Command and Control
 16   yes  yes  National Airspace System
 17   yes  yes  Stock Control System
 18   yes  yes  Theater Battle Management Core Systems
 19   no   yes  Theater Deployable Communications

Defense Agency Systems

Defense Finance and Accounting System
  1   yes  yes  Defense Cash Accountability System
  2   yes  yes  Defense Civilian Pay System
  3   yes  yes  Defense Departmental Reporting System
  4   yes  yes  Defense Industrial Financial Management System
  5   yes  yes  Defense Joint Military Pay System – Active and Reserve Components
  6   yes  yes  Defense Working Capital Fund Accounting System
  7   no   yes  DFAS Corporate Database/Warehouse
  8   yes  no   DFAS Electronic Business/Electronic Commerce
  9   yes  yes  E-Biz/Business Management Redesign
 10   no   no   Electronic Document Management Program
 11   yes  yes  Forward Compatible Payroll
 12   yes  yes  General Accounting and Finance System
 13   yes  yes  Marine Corps Total Force System
 14   yes  yes  Mechanization of Contract Administration Services
 15   yes  yes  Standard Accounting and Reporting System
 16   yes  yes  Standard Accounting Budgeting and Reporting System

Defense Logistics Agency
 17   yes  yes  Business Systems Modernization – Energy
 18   no   yes  Distribution Standard System
 19   no   yes  DLA Business Systems Modernization
 20   yes  yes  DoD Emall

U.S. Transportation Command
 21   yes  no   Defense Enterprise Accounting and Management System
 22   yes  yes  Global Air Transportation Execution System
 23   no   no   Global Decision Support System
 24   yes  yes  Global Transportation Network 21

TRICARE Management Agency
 25   yes  no   Defense Blood Standard System
 26   no   yes  Defense Medical Human Resource System Internet
 27   yes  no   Defense Medical Logistics Standard System
 28   no   yes  Defense Occupational and Environmental Health Readiness System
 29   yes  yes  Enterprise Wide Scheduling and Registration
 30   no   yes  Executive Information/Decision Support
 31   yes  yes  Expense Assignment System IV
 32   yes  yes  Military Computer-Based Patient Record
 33   no   yes  Theater Medical Information Program
 34   yes  no   Third Party Outpatient Collection System
 35   yes  no   TRANSCOM (Medical) Regulating and Command and Control Evacuation System
 36   yes  yes  TRICARE Online

Defense Human Resource Agency
 37   yes  no   Defense Civilian Personnel Data System
 38   yes  yes  Defense Enrollment Eligibility Reporting System
 39   yes  no   Defense Integrated Military Human Resources System
 40   yes  yes  Protect Information – Common Access Card

Office of the Secretary of Defense
 41   yes  yes  Defense Travel System
 42   yes  yes  High Performance Computing Modernization
 43   yes  yes  Long-Range Planning and Analytical Support System

Defense Information Systems Agency
 44   yes  no   Advanced Information Technology Services Joint Program Office
 45   no   no   Central Contractor Registration
 46   yes  yes  Common Operating Environment
 47   no   no   Defense Enterprise Computing Centers
 48   yes  no   Defense Information System Network
 49   no   no   Defense Message System
 50   yes  no   Defense Technical Information Center
 51   yes  no   DoD Teleport
 52   no   no   Electronic Document Access
 53   no   no   Global Combat Support System
 54   yes  no   Global Command and Control System – Joint
 55   no   yes  Global Exchange
 56   yes  yes  Joint Interoperability Test Command
 57   yes  no   Net Centric Enterprise Services
 58   yes  no   White House Communications Agency
 59   yes  no   Wide Area Workflow

Defense Commissary Agency
 60   yes  yes  Point of Sales
 61   yes  yes  Commissary Advanced Resale Transaction System

American Forces Information Services
 62   yes  no   Network Support – Armed Forces Information Services

Missile Defense Agency
 63   yes  yes  Computing Infrastructure

Defense Contract Management Agency
 64   yes  yes  Standard Procurement System

Appendix D.
Mission Assurance Category and Mission Criticality Definitions

Mission Assurance Categories¹

Mission Assurance Category I: Systems handling information that is determined to be
vital to the operational readiness or mission effectiveness of deployed and contingency
forces in terms of both content and timeliness. The consequences of loss of integrity or
availability of a mission assurance category I system are unacceptable and could include
the immediate and sustained loss of mission effectiveness. Mission assurance category I
systems require the most stringent protection measures.

Mission Assurance Category II: Systems handling information that is important to the
support of deployed and contingency forces. The consequences of loss of integrity are
unacceptable. Loss of availability is difficult to deal with and can only be tolerated
for a short time. The consequences could include delay or degradation in providing
important support services or commodities that may seriously impact mission
effectiveness or operational readiness.

Mission Assurance Category III: Systems handling information that is necessary for the
conduct of day-to-day business, but does not materially affect support to deployed or
contingency forces in the short-term. The consequences of loss of integrity or
availability can be tolerated or overcome without significant impacts on mission
effectiveness or operational readiness. The consequences could include the delay or
degradation of services or commodities enabling routine activities.

Mission Criticalities²

Mission Critical: A system in which the loss would cause the stoppage of warfighter
operations or direct mission support of warfighter operations.

Mission Essential: A system that the acquiring Component Head determines basic and
necessary for the accomplishment of the organizational mission.

Mission Support: A system that is neither mission critical nor mission essential.

¹ Defined in DoD Directive 8500.1, “Information Assurance,” October 24, 2002.
² Defined in DoD Instruction 5000.2, “Operation of Defense Acquisition System,” May 12,
  2003 and Deputy CIO Memorandum, “Department of Defense Information Technology Registry
  Guidance for FY 2005,” December 21, 2004.

Appendix E. Summary of Data Elements Reviewed
       We reviewed 148 IT systems—32 Army, 33 Navy, 19 Air Force, and 64 Defense
       Agency—for consistent information between data elements in IT Registry reports and
       ITMA Capital Investment Reports. The following table summarizes, by data element
       and DoD Component, the 148 systems reviewed.

                                                                Air      Defense
                                             Army     Navy     Force    Agencies    Totals
 1  Security Control Test Date
      Inconsistent Systems                     27       27       15         43       112
      Percent                                84.4     81.8     78.9       67.2      75.7*
 2  Accreditation Date
      Inconsistent Systems                     12       12        8         17        49
      Percent                                37.5     36.4     42.1       26.6      33.1*
 3  Accreditation Status
      Inconsistent Systems                      5        6        5          3        19
      Percent                                15.6     18.2     26.3       14.1      12.8*
 4  Accreditation Method
      Inconsistent Systems                      2        2        4          4        12
      Percent                                 6.3      6.1     21.1        6.3       8.1*
 5  Accreditation Required
      Inconsistent Systems                      1        2        2          1         6
      Percent                                 3.2      6.1     10.5        1.6       4.1*
 6  System Security Authorization Agreement Status
      Inconsistent Systems                      4        8        2          2        16
      Percent                                12.5     24.2     10.5        3.1      10.8*
 7  Risk Management Plan
      Inconsistent Systems                      5        3        2          6        16
      Percent                                15.6      9.1     10.5        9.4      10.8*
 8  Security Plan
      Inconsistent Systems                      5        5        2          4        16
      Percent                                15.6     15.2     10.5        6.3      10.8*
 9  Security Incident Response Plan
      Inconsistent Systems                      5        3        2          5        15
      Percent                                15.6      9.1     10.5        7.8      10.1*

 * This is the percentage of the total inconsistent systems relative to the total systems
   reviewed.

Appendix F.
Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense for Acquisition, Technology, and Logistics
   Director, Defense Business Transformation Agency
Under Secretary of Defense (Comptroller)/Chief Financial Officer
Under Secretary of Defense for Personnel and Readiness
Assistant Secretary of Defense for Networks and Information Integration/Chief Information
   Officer
Assistant Secretary of Defense for Health Affairs/Chief Information Officer
Assistant Secretary of Defense for Intelligence Oversight/Chief Information Officer
Chief Information Officer, Office of the Secretary of Defense
Director, Program Analysis and Evaluation

Joint Staff
Director, Joint Staff
Chief Information Officer, Joint Staff

Department of the Army
Assistant Secretary of the Army (Financial Management and Comptroller)
Auditor General, Department of the Army
Chief Information Officer, Department of Army

Department of the Navy
Assistant Secretary of the Navy (Financial Management and Comptroller)
Naval Inspector General
Auditor General, Department of the Navy
Chief Information Officer, Department of the Navy
Chief Information Officer, U.S. Marine Corps

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force
Chief Information Officer, Department of the Air Force

Unified Commands
Chief Information Officer, U.S. Northern Command
Chief Information Officer, U.S. Southern Command
Chief Information Officer, U.S. Joint Forces Command
Chief Information Officer, U.S. Pacific Command
Chief Information Officer, U.S. European Command
Chief Information Officer, U.S. Central Command
Chief Information Officer, U.S. Transportation Command
Chief Information Officer, U.S. Special Operations Command
Chief Information Officer, U.S. Strategic Command

Other Defense Organizations
Director, Defense Finance and Accounting Service
Director, Defense Information Systems Agency
Chief Information Officer, American Forces Information Service
Chief Information Officer, Defense Advanced Research Projects Agency
Chief Information Officer, Defense Contract Audit Agency
Chief Information Officer, Defense Contract Management Agency
Chief Information Officer, Defense Commissary Agency
Chief Information Officer, Defense Finance and Accounting Agency
Chief Information Officer, Defense Human Resource Activity
Chief Information Officer, Defense Information Systems Agency
Chief Information Officer, Defense Logistics Agency
Chief Information Officer, Department of Defense Education Activity
Chief Information Officer, Department of Defense Inspector General
Chief Information Officer, Defense Security Cooperation Agency
Chief Information Officer, Defense Security Service
Chief Information Officer, Defense Technical Information Center
Chief Information Officer, Defense Threat Reduction Agency
Chief Information Officer, DoD Test Resources Management Center
Chief Information Officer, Defense Technology Security Administration
Chief Information Officer, Missile Defense Agency
Chief Information Officer, Pentagon Force Protection Agency
Chief Information Officer, TRICARE Management Agency
Chief Information Officer, U.S. Mission North Atlantic Treaty Organization
Chief Information Officer, Washington Headquarters Service

Non-Defense Federal Organization
Office of Management and Budget

Congressional Committees and Subcommittees, Chairman and
  Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency and Financial Management, Committee on
   Government Reform
House Subcommittee on National Security, Emerging Threats, and International Relations,
   Committee on Government Reform
House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and
   the Census, Committee on Government Reform

Assistant Secretary of Defense for Networks and Information Integration/Chief Financial
Officer Comments

Team Members
   The Department of Defense Office of the Deputy Inspector General for Auditing,
   Acquisition and Technology Management prepared this report. Personnel of the
   Department of Defense Office of Inspector General who contributed to the report are
   listed below.

   Kathryn M. Truex
   Karen J. Lamar
   Robert R. Johnson
   Rebecca S. Courtade